I'm a university student studying for my certification exam, and I was doing some reviewing today when I found a question that I can't find an answer to.
Basically, in the CCNA3 2.4.1 Cisco Netacademy online materials, it talks about encrypting passwords in the config. To quote the materials:

"""
Note: The encryption standard used by the service password-encryption command is referred to as type 7. This encryption standard is very weak and there are easily accessible tools on the Internet for decrypting passwords encrypted with this standard. Type 5 is more secure but must be invoked manually for each password configured.
"""

This is what confuses me. It says that you can manually invoke Type 5 security (which is MD5 hashing, also used with enable secret) for each password configured. But by default, it uses Type 7 encryption, which is a basic and weak encryption method usually used to guard against over-the-shoulder snooping at running-configs etc.

I found that it says the following when referring to extra optional commands that can be used with the enable password command.

"""
enable password [level level] {password | [encryption-type] encrypted-password}
Encryption-Type: (Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router).
"""

This is for the enable password command and it says default encryption type is 5 using IOS version 12.2. But when I use service password-encryption on a switch that has 12.2 IOS the running-config shows: "enable password 7 121AOC041104" - the 7 meaning Type 7.

So, as you can see, I'm confused. There are contradictions concerning the default Type of encryption used with enable password. Although the netacademy resources are a few years old, actual testing with switches and using the service password-encryption command supports the netacademy materials, whereas the Cisco site quotes type 5 as being the default in one of the latest IOS versions.

Basically, my question is, despite all of these confusions, is it possible to use enable password to get a Type 5 encryption (and this would be evident in the running-config) or do I have to stick with enable secret to get my Type 5 encryption?

Thanks for reading and if you have an answer, please try to provide a reference but if you can't be bothered to, answer anyway. ;P

Oh and please tell me if I have posted this in the wrong QA site. I wasn't sure if it should go here or in the Server Fault QA.
– mitch Apr 28 '11 at 14:41

I believe that it is on topic in both and you might be interested in cross posting it. BTW MD5 is not very secure anyway.
– KilledKenny Apr 28 '11 at 15:11

@WZeberaFFS: Note that cross-posting is strongly discouraged. @mitch: The question looks on-topic on both sites. Let it stand here since that's where you asked it. (A moderator can migrate it if you change your mind, but migrated questions typically get less attention.)
– Gilles Apr 28 '11 at 15:46

2 Answers
Use enable secret -- if nothing else, it's the solution that works on "legacy" versions, even if it has been changed in newest releases.

(Apart from that, avoid local accounts. The only time a local account should be used is when there is a major problem in progress that prevents the router from communicating with an AAA server. Use TACACS+ when possible, or DIAMETER for those that support it.)

Good answer here, for any system that has access to a centralized authentication service. Don't use local accounts unless absolutely necessary, and use the strongest method of protection available for those that must exist.
– Iszi Apr 28 '11 at 20:39
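A defender-side check for the distinction discussed in the question and this answer, added here as an example (it is not code from the page, the asker, or the answerer): it parses an IOS-style running-config excerpt (constructed, with placeholder hash values) and flags every credential stored in cleartext or as type 7, so only type 5 secrets pass. The regexes assume the standard `enable password [level n] [type] pw`, `username ... password|secret [type] pw` and line `password [type] pw` forms.

```python
import re
from typing import NamedTuple

# Constructed IOS running-config excerpt for the demo; the encoded strings and
# the $1$ hash are placeholders, not values taken from any real device.
SAMPLE_CONFIG = """\
version 12.2
service password-encryption
hostname SW1
enable password 7 094F471A1A0A
enable secret 5 $1$abcd$PLACEHOLDERhashPLACEHOLDER
username admin password 7 0822455D0A16
username backup privilege 15 password 0 plaintext-pass
line vty 0 4
 password 7 030752180500
 login
"""

# Type numbers as used in the question: no number or 0 is cleartext,
# 7 is the reversible service password-encryption encoding, 5 is salted MD5.
TYPE_LABELS = {"0": "cleartext", "7": "type 7 (reversible)", "5": "type 5 (salted MD5)"}
WEAK_TYPES = {"0", "7"}  # anything readable back from the config text itself

class Finding(NamedTuple):
    line_no: int
    scope: str     # "enable", "username <name>" or "line"
    ptype: str     # "0", "5", "7", ... ("0" when no type number is present)
    keyword: str   # "password" or "secret"

# The type number is optional; a bare numeric password such as "enable password 12345"
# is still classified as cleartext because the optional group backtracks.
ENABLE_RE = re.compile(r"^\s*enable (password|secret)(?: level \d+)?(?: (\d+))? (\S+)\s*$")
USER_RE = re.compile(r"^\s*username (\S+)(?: privilege \d+)? (password|secret)(?: (\d+))? (\S+)\s*$")
LINE_RE = re.compile(r"^\s*password(?: (\d+))? (\S+)\s*$")

def audit_config(config: str) -> list[Finding]:
    """Return one Finding per password-bearing line in the config."""
    findings = []
    for n, line in enumerate(config.splitlines(), start=1):
        if m := ENABLE_RE.match(line):
            findings.append(Finding(n, "enable", m.group(2) or "0", m.group(1)))
        elif m := USER_RE.match(line):
            findings.append(Finding(n, f"username {m.group(1)}", m.group(3) or "0", m.group(2)))
        elif m := LINE_RE.match(line):
            findings.append(Finding(n, "line", m.group(1) or "0", "password"))
    return findings

def weak_findings(config: str) -> list[Finding]:
    """Lines whose stored credential can be recovered from the config text."""
    return [f for f in audit_config(config) if f.ptype in WEAK_TYPES]

if __name__ == "__main__":
    for f in weak_findings(SAMPLE_CONFIG):
        label = TYPE_LABELS.get(f.ptype, f"type {f.ptype}")
        print(f"line {f.line_no}: {f.scope} {f.keyword} is {label}; replace with a 'secret'")
```

Note that `service password-encryption` only converts cleartext lines to type 7, which is why the audit treats 0 and 7 the same.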

I can't help with your basic problem, but this should help motivate folks to get it right, as your question asks. It is depressing hearing over and over how badly broken password storage is on important platforms.